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(57) Abstract 



A remote access server limits access to a local computer network. The server includes at least one communication port for allowing 
communication with a remote computer and at least one network port for coupling to a local computer network to allow communication 
with the local computer network. The server also includes processing electronics which control the communication and network ports. The 
processing electronics also receive a user identification string from the communication port. The string having been entered by a remote 
user at a remote computer, and it identifies the remote user. The server uses the string to access a database and determine at least one 
access filter associated with the string. The access filter is used to prevent the remote computer from communicating with at least one 
predetermined resource on the local computer network. The database includes a user identification string for each remote user and at least 
one access filter for each user identification string. The server allows the remote computer to access the local computer network and to 
communicate on the local computer network, but the remote computer is prevented from communicating with the predetermined resource 
because of the access filter associated with the remote user. 
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APPARATUS AND METHOD 
FOR RESTRICTING ACCESS TO A LOCAL COMPUTER NETWORK 

5 Field of the Invention 

This invention relates to an apparatus and method 
for restricting a remote user's access to a local 
computer network , and more particularly to a remote 
access server which restricts the access. 

10 

Background of the Invention 
The client-server computer networking model allows 
organizations of all sizes to utilize group 
productivity products such as e-mail. Many business 
15 organizations have grown to rely heavily on network 
services. Employees who travel typically need to 
access the same network services and resources provided 
to them at work. Field offices also frequently need to 
access the headquarter ' s network services. The term 

20 "telecommuter" has been used to describe an employee 
who stays at home and conducts business by accessing 
the network services provided at the traditional 
worksite. These types of users are sometimes referred 
to as "remote" because they typically are located in a 

25 physically remote place from the networks and because 
they do not connect to the networks locally or 
directly. Remote users typically connect to the 
networks via telephone lines. The terms "remote 
access" and "remote networking" are used to identify 

30 the situation in which a remote user accesses a 
computer network over analog or digital telephone 
lines . 

A remote user generally can utilize any type of 
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computer to access the network. The computer can be, 
for example, a personal computer, a workstation, or a 
portable computer such as a laptop computer or a 
notebook computer. Also, the computer can be, for 
5 example, an IBM PC or compatible, an Apple Macintosh, 
or a Unix-based computer. The user typically connects 
a modem or similar communication device to a serial 
port of the computer. The modem connected to the 
user's remote computer communicates over the telephone 

10 lines with another modem which is coupled to a server. 
The other modem and the server are located at the 
network which the remote computer is attempting to 
access. The server is coupled directly to the network. 
It is the server which provides the remote computer 

15 with controlled access to the network and the services 
and resources thereon. The server is referred to as a 
"remote access server," and it typically includes a 
serial port for connecting to the other modem, a port 
for connecting to the network, and electronics which 

20 include at least a microprocessor and memory. 

It is desirable for the remote access server to 
have a variety of features. For example, the remote 
access server should make accessing the network 
transparent to the remote user. The remote access 

25 server also should be easy for a network manager to 
install and maintain. 
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Summary of the Invention 
It is an object of the invention to provide a 
remote access server which allows one or more remote 
computers to access simultaneously a local computer 
5 network, even if each of the remote computers employs a 
different protocol (e.g., IPX, TCP/IP, AppleTalk, 
NetBEUI , or 802.2/LLC) . 

It is another object of the invention to provide a 
remote access server which provides user authentication 
10 and security features. One aspect of these features is 
that the server can restrict access to the network on a 
per-user basis. The remote access server controls a 
remote user's access to the various network services 
and resources by locating and utilizing one or more 
15 access filters for that remote user. The server 

ensures that each remote user has a particular set of 
access filters assigned to him or her every time that 
remote user makes a remote access connection to the 
network via the server, even though that remote user 
2 0 may utilize a different remote computer every time a 
remote access connection is made. The server uses a 
user identification string, which is entered into the 
remote computer by the remote user, to retrieve from a 
server-internal or server-external database the access 
25 filters associated with that remote user. The database 
typically is centrally maintained by a network manager 
with authority to add and delete remote users and 
access filters. 

The remote access server uses the access filters to 
30 control the remote users' access to the network and the 
services, resources, and devices available thereon. 
The server typically limits a remote user's network 
access to one or more network "zones" and/or one or 
more network devices. Zones are pre-defined groups of 



WO 96/05549 



PCT/US95/08900 



devices on the network, and devices can include 
computers coupled directly to the local network, 
various servers (e.g., e-mail, database, etc.) and 
various other network nodes such as printers and 
5 plotters. 

Because it has the power to control a remote user's 
access to the resources of the network, the remote 
access server can ensure that only certain remote users 
are allowed access to certain resources of the network, 

10 such as only those resources listed in the database. 
If the server locates an access filter for a remote 
user which indicates that the remote user should* not 
have access to a particular zone or device, that remote 
user will not be allowed to communicate with that zone 

15 or device regardless of the remote computer used in the 
attempt to gain access. The remote user will, however, 
be able to communicate with other non-restricted parts 
of the network. The network restrictions are done by 
the remote access server on a per-user basis. The 

20 remote access server will identify and use access 
filters for each remote user which attempts to gain 
access to the network via the server. 

Per-user assignment of access filters is very 
different from other network restriction techniques 

25 such as per-port schemes and per-server schemes. With 
per-port filter assignment, each port of the server has 
one or more filters associated therewith and those 
filters are assigned to whichever remote computer 
happens to communicate through that port. With per- 

30 server filter assignment, the server has one or more 
filters associated therewith and those filters are 
assigned to whichever remote computers dial into that 
server. Both the per-port and per-server schemes, 
unlike per-user, do not provide a correspondence 
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between a remote user and a set of access filters. 
These two other schemes do not, unlike per-user, tie 
network access restriction to remote user identity. It 
therefore is not possible with either per-port or per- 
5 server to control network access precisely, as it is 
with per-user which is based on the identity of the 
remote user. 

Other objects , aspects, features, and advantages of 
the invention will become apparent from the following 
10 description and from the claims. 
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Brief Description of the Drawings 
In the drawings, like reference characters 
generally refer to the same parts throughout the 
different views. Also, the drawings are not 
5 necessarily to scale, emphasis instead generally being 
placed upon illustrating the principles of the 
invention. 

FIG. 1 is a diagram of a remote access system in 
which a remote access server according to the invention 
10 provides a remote user at a remote computer with access 
to a local computer network. 

FIG. 2 is a diagram of a remote access system shown 
in more detail than the system shown in FIG. 1. 

FIG. 3 is a flowchart of the steps a remote access 
15 server performs in order to provide a remote user at a 
remote computer with access to a local computer network 
according to the invention. 

FIG. 4 is a block diagram showing major components 
of a remote access server according to the invention. 
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Description 

Referring to FIG. 1, in a remote access system 10, 
a remote computer 12 is allowed access to a local 
computer network 14 by a remote access server 16. As 
5 will be described in more detail later with reference 
to FIG. 4, the remote access server 16 is itself a 
powerful programmable computer. In the disclosed 
embodiment, the remote access server 16 is a LanRover 
which is available from Shiva Corporation of 

10 Burlington, MA. A remote user 18 at the remote 

computer 12 initiates an attempt to gain access to the 
network 14 (and the network services and resources 
available thereon) via the remote access server 16 by 
entering a user identification (ID) string 20 into the 

15 remote computer 12. The user ID string is a pre- 
determined code which uniquely identifies the remote 
user, and it typically is assigned to the remote user 
by a network manager who has central control of and 
responsibility for the network 14 and the maintenance 
20 thereof. 

The user ID string 20 entered by the remote user 18 
is sent by the remote computer 12 to the remote access 
server 16 over telephone lines 22. The term telephone 
lines 22 is used herein to mean any digital and/or 

25 analog communication link or links used to transmit 

voice and/or data including wireless and cellular data 
links such as Cellular Digital Packet Data (CDPD) . In 
the disclosed embodiment, a modem 24 is connected to 
the remote computer 12, and another modem 26 is 

30 connected to the remote access server 16. The 

modems 24, 26 allow the remote computer 12 and the 
remote access server 16 to communicate over the 
telephone lines 22. Note that the modem 26 connected 
to the remote access server 16 could be part of the 
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server 16 (e.g., included within the server housing), 
as indicated by the dotted-line box 28 enclosing the 
server 16 and the modem 26 connected thereto. Also 
note that the modems 24, 26 could be Integrated 
5 Services Digital Network (ISDN) terminal adapters if 
the telephone lines 22 are the ISDN, or the modems 24, 
26 could be any of a variety of other switched-access 
devices . 

The remote access server 16 receives the user ID 
10 string 20 which was entered by the remote user 18 and 
sent by the remote computer 12. An optional user 
authentication procedure may occur at this time where a 
remote user proves his or her identity by entering a 
password, by reference to an authentication server 
15 database, or by any other method. Once the remote user 
is authenticated, that remote user is granted access to 
the network. Further authorization may occur in order 
for an authenticated user to become an authorized user 
and be granted access to specific network services. In 
20 any event, the server 16 uses the user ID string 20 to 
index into a database 30 and retrieve one or more 
access filters associated with the user ID string 20. 
The server 16 uses these access filters to control the 
remote user's access to the network 14 and the network 
25 services and resources available thereon. The 
database 30 can be resident in the remote access 
server 16, or it can be maintained on a node (e.g., a 
database server) on the network 14. The database 30 
includes a unique user ID string for each remote user 
and at least one access filter for each user ID string. 
The database 30 typically is maintained by a network 
manager who has central control of and responsibility 
for the network 14 and the maintenance thereof. The 
network manager generally controls (e.g., has the 
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authority and ability to define, add, and delete) 
remote user names and access filters. 

After the remote access server 16 identifies the 
access filters for this remote user based on the user 
5 ID string 20, the server 16 uses the filters to limit 
the remote user's network access. Every time the 
remote computer 12 attempts to communicate on the 
network 14 via the remote access server 16, the 
server 16 uses the access filters for that remote user 

10 to prevent the remote user from communicating with 
whatever network resources the filters indicate are 
off-limits to that remote user. 

An access filter can be data packets or words which 
identify particular network resources such as zones or 

15 devices. A zone is a pre-defined group of devices on 
the network 14 . A network device can include computers 
coupled directly to the local network 14, various 
servers (e.g., e-mail, database, etc.) coupled directly 
to the local network 14, and various other nodes on the 

20 network 14 such as printers and plotters. Whatever the 
network resource or resources identified in the access 
filter, the filter is used by the server 16 to prevent 
the remote user's remote computer 12 from communicating 
with the resource(s). Because the database 30 contains 

25 a particular set of access filters for certain remote 
users, the server 16 is able to match one or more 
filters to each access attempt by those remote users 
and to limit the network access of those remote users 
if the filters so dictate. 

30 Filters are protocol dependent and generally employ 

a look-up service that functions in the following 
manner. Various network services advertise their 
presence on the network. Requests for access to 
network services are processed by the remote access 
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server. The remote access server refers to another 
network server that contains an access list. If the 
user is identified as authorized by the access list, 
access is granted/ otherwise services are simply not 
5 identified as being available to the requesting user. 

In general, the remote access server 16 will not 
restrict network access unless the user ID string 20 
entered by the remote user 18 at the remote computer 12 
corresponds to one or more access filters in the 

10 database 30. That is, if the remote access server 16 
searches the database 30 but fails to find any access 
filters associated with the user ID string 20 which the 
remote user 18 entered at the remote computer 12 
(because, for example, the user ID string 20 is in the 

15 database 30 but there is no associated access filters 
listed in the database 30), the remote access server 16 
will not limit the network access for that remote user, 
and thus that remote user will be able to communicate 
freely on the network 14. In this situation, the 

20 remote access server 16 will pass all data packets from 
the remote computer 12 or the remote user 18 on to the 
network 14. 

The remote access server 16 ensures that each 
remote user 18 whose network access should be 

25 restricted as indicated by the access filters in the 
database 30 is in fact so restricted" every time that 
remote user 18 makes a remote access connection to the 
network 14 via the server 16, even though that remote 
user 18 may utilize a different remote computer 12 

30 every time a remote access connection is made. By 
linking network access to the identity of the 
individual remote users, the remote access server 16 
can effectively restrict remote users' network access 
to only those network resources authorized by a central 
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controller {i.e., the network manager who maintains the 
database 30 ) . 

The remote access system 10 shown generally in 
FIG. 1 is shown in more detail in FIG. 2. Referring to 
5 FIG. 2, the remote computer 12 is a portable laptop 
computer. In general, the remote computer 12 can be 
any type of portable computer (e.g., a laptop or a 
notebook), workstation, or personal computer (e.g., an 
IBM PC or compatible, an Apple Macintosh, or a Unix- 

10 based computer). The remote computer 12 generally must 
be able to function as a stand-alone computer system 
when not connected to a network, and as a full network 
node when it is dialed- in to the network 14 through the 
remote access server 16. For a remote Macintosh 

15 system, it generally is preferred that the computer 

have a 25 MHz 68030 processor. For a remote PC system, 
it generally is preferred that the computer have at 
least a 25 MHz 486 processor. 

The remote access system 10 described herein is not 

20 to be confused with a remote control system. In a 
remote control system, a remote user dials-in to the 
local network with his or her remote computer and takes 
control of a local computer on the network. Once the 
remote user's remote computer is connected to the local 

25 network in a remote control system, the remote user 
actually uses the local computer, not the remote 
computer. That is, only user-interface data (e.g., 
screen images and keyboard/mouse input) are transferred 
to the remote computer from the local computer; the 

30 remote computer acts as a dumb terminal in a remote 
control system. 

A remote control system is very different from the 
remote access system 10. In the remote access 
system 10, the remote computer 12 must perform 
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adequately by itself, with enough processing power , 
memory, and disk storage space to run (on the remote 
computer 12 itself) the remote user's chosen 
applications without relying upon the on-network 
5 communication speed which typically is much higher than 
the speed of the telephone line link 22. Some 
telephone lines 22 allow speeds of up to 28.8 kilobits 
per second whereas the local computer network 14 can 
operate in ranges from 1 to 100 megabits per second 

10 depending on the type of network. The local computer 
network 14 can be, for example, Ethernet or Token Ring. 

The remote computer 12 typically will have a- serial 
port 32 which is managed by a serial controller such as 
a 16550A serial controller chip which can receive or 

15 transmit up to sixteen characters without intervention 
from the central processing unit (CPU) of the remote 
computer 12. The modem 24 connected to the serial 
port 32 can be, for example, a 24 00 bits per second or 
faster Hayes or Hayes compatible modem. A rate of 9600 

20 bits per second or above is recommended for the 

modem 24. The modem 24 also can be, for example, a 
V.32bis modem (14.4 kilobits per second) or an ISDN 
terminal adapter. The other modem 26 (which is not 
shown in FIG. 2 because it is internal to the remote 

25 access server 16) is selected to operate properly given 
the telephone lines 22 employed and the modem 24 
connected to the serial port 32. 

The network services and resources available on the 
network 14 which the remote user 18 might access via 

30 the remote access server 16 can include, for example, a 
Notes Server 46, an E-Mail Server 48, and a Database 
Server 50. The Database Server 50 can be used to 
maintain the database 30 of user names and access 
filters which was described previously with reference 
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to FIG. 1. 

The remote computer 12 can be loaded with network 
application software 34 and remote access client 
software 36. The remote access client software 36 can 
5 allow, for example, a Macintosh computer to use 

AppleTalk Remote Access (ARA), a Unix-based computer to 
use a Point-to-Point Protocol (PPP) implementation, and 
a PC-based computer to use any standard (if any) or 
vendor-supplied remote access clients. Briefly, a 

10 remote access client includes a "dialer" which 

establishes and terminates the remote access connection 
and a "driver" which interfaces with the network* 
protocol stacks and the serial port 32 to send and 
receive network data. The remote access client can 

15 operate with a variety of protocols including IPX, 
TCP/IP, NetBEUI, LLC/802.2, and AppleTalk. Novell's 
IPX is the native protocol for NetWare. TCP/IP is 
widely used in Unix-based systems and client-server 
databases, and TCP/IP also is becoming standard for 

20 many other applications. NetBEUI is used for LAN 
Manager and Microsoft's Windows for Workgroups. 
LLC/802.2 is for IBM LAN Server and host connectivity. 
The combination of AppleTalk and TCP/IP covers almost 
all Macintosh applications. 

25 The performance of the remote access server 16 is 

primarily determined by the ability to move data 
through its serial ports (shown in FIG . 4 but not in 
FIG. 2) without much attention from its CPU (also shown 
in FIG. 4 but not in FIG. 2). The performance of the 

30 server 16 also is determined by its CPU's ability to 
perform the routing, filtering, IP address tracking, 
etc. that the CPU must do without adding undue delays 
as it forwards data packets. The server 16 thus has 
generally been optimized for serial port throughput and 
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general CPU power. Because the server 16 must be 
highly reliable and efficient, it includes solid-state, 
non-volatile storage for the controlling software* The 
software is upgradeable via downloading from the 
5 network 14 to the server 16. The network manager can 
perform any upgrades . 

The software in the remote access server 16 causes 
the server 16 to perform the various functions 
described herein, although it should be noted that it 

10 is possible to use dedicated electronic hardware to 

perform all server functionality described herein. The 
steps which the server performs in order to control a 
remote user's access to a local computer network 
according to the invention are shown in FIG. 3. 

15 Referring to FIG. 3, it is first necessary to set- 

up the connections by coupling a communication port of 
the remote access server to the telephone lines 
(step 52) and coupling a network port of the remote 
access server to the local computer network (step 54). 

20 The server is now ready to receive a dial-in from a 
remote computer pver the telephone lines and to 
communicate on the local network. After the remote 
access server is set-up, the remote user can cause the 
remote computer to dial -in and connect to the server 

25 over the telephone lines. The remote user then enters 
into the remote computer a user ID string which the 
remote computer sends to the server over the telephone 
lines. The user ID string uniquely identifies that 
remote user. The remote access server receives the 

30 user ID string from the communication port (step 56). 
Note that after step 56, an optional user 
authentication procedure may occur where a remote user 
proves his or her identity by entering a password, by 
reference to an authentication server database, or by 
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any other method. Once the remote user is 
authenticated, that remote user is granted access to 
teh network. Further authorization may occur in order 
for an authenticated user to become an authorized user 
5 and be granted access to specific network services. In 
any event, the remote access server then uses the 
received user ID string to perform a look-up in the 
database of user ID strings and access filters 
(step 58). The remote access server retrieves from the 

10 database one or more access filters associated with the 
user ID string, if any (step 60). The remote access 
server then allows the remote computer to access -the 
local computer network and to communicate on the 
network, but the server uses the access filter(s) to 

15 prevent the remote computer from communicating with the 
network resource(s) identified by the access filter(s) 
associated with this remote user (step 62). 

Table 1 below shows the database. A variety of 
other configurations can be employed for the database. 

20 Also, the database can include different and/or 
additional parameters . 



25 



30 
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FILTER ( S ) 


N | 



TABLE 1 - Remote User Information Database 



Table 2 below shows an access filter for use in the 
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remote access system according to the invention. Other 
configurations of the access filter can be employed. 
Also, the access filter can include different and/or 
additional fields* As stated previously, access 
5 filters are protocol dependent. As shown in Table 2, a 
Name Binding Protocol (NBP) Filter includes a Show/Hide 
(S/H) field, and NBP name field, and a NBP type field. 



10 | S/H | NBP Name | NBP Type 



TABLE 2 - NBP Filter 

15 As shown in Table 3, a Zone Filter includes an S/H 
field and a Zone field. 



| S/H | Zone I 
20 

TABLE 2 - Zone Filter 

Referring now to FIG. 4, in one embodiment, the 
25 remote access server 16 includes electronics 38, a 

plurality of serial communication ports 40 i~ 40 n' and a 
plurality of network ports 42^-42 N . The server 16 also 
can include a plurality of internal modems 44^-44 N > 
The serial ports 40 and the network ports 42 are 
30 controlled by the electronics 38. 

The electronics 38 include, in some embodiments, a 
powerful 16 MHz 68EC02 0 microprocessor and memory such 
as up to 1 megabyte of battery backed-up static random 
access memory (SRAM) and possibly 64 kilobytes in an 
35 erasable programmable read only memory (EPROM). 

Each of the serial communication ports 40 is for 
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coupling with a communication device (e.g., the 
modem 26 of FIG. 1), or for coupling directly with the 
telephone lines 22, to provide for communication with a 
remote computer (e.g., the remote computer 12 of FIGS. 
5 1 and 2) over the telephone lines 22. A connecting 
cable can be used to couple a serial port 40 with the 
communication device or with the telephone lines. Each 
of the serial ports 40 can simultaneously be coupled to 
a different one of the plurality of remote computers so 
10 as to provide simultaneous access to a local computer 
network for each of the remote computers , even if each 
of the remote computers employs a different protocol 
(e.g., IPX, TCP/IP, AppleTalk, NetBEUI, or 802.2/LLC). 
In some embodiments, the server 16 includes either four 
15 or eight serial ports 40, and each port 40 is a DB-25 
asynchronous serial port which supports speeds of up to 
57.6 kilobits per second (kbps). In some other 
embodiments, the server 16 includes four 57.6 kbps 
ports 40 with an internal V.32bis modem 44 associated 
20 with each, and four high-speed (115.2 kbps) serial 

ports 40 with no internal modem associated therewith. 
In some other embodiments, the server 16 includes a 
single port 40 for use with ARA. 

Each of the network ports 42 is for coupling with a 
25 local computer network (e.g., the network 14 of FIGS. 1 
and 2), via a connecting cable, to provide for 
communication with the network. Typically, the 
server 16 is connected to only one network during 
normal operation. In some embodiments, the server 16 
30 includes three network ports 42, one for lOBaseT 
Ethernet, one for Thin Ethernet, and one for Thick 
Ethernet. In some other embodiments, the server 16 
includes a single network port 42 for Token Ring. In 
some other embodiments, the server 16 includes a single 
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network port 42 for use with Apple LocalTalk. 

The remote access server 16 shown functionally in 
FIG. 4 can be contained in a housing similar to that 
shown in FIG. 2. The housing is less than or equal to 
5 about 1.7 by 17 by 10 inches. The housing can be made 
rack-mountable . 

Other modifications and implementations will occur 
to those of ordinary skill in the art without departing 
from the spirit and the scope of the invention as 
10 claimed. Accordingly , the invention is to be defined 
not by the preceding illustrative description but 
instead by the following claims. 

What is claimed is: 
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Claims 

1 1. A method for limiting access to a local 

2 computer network, comprising: 

3 receiving a user identification string from a 

4 communication port, the string having been entered by a 

5 remote user at a remote computer which is coupled to 

6 the communication port, the string identifying the 

7 remote user; 

8 using the user identification string to access a 

9 database and determine at least one access filter 

10 associated with the user identification string, the 

11 access filter for preventing the remote computer from 

12 communicating with at least one predetermined resource 

13 on a local computer network, the database including a 

14 user identification string for each remote user and at 

15 least one access filter for each user identification 

16 string; 

17 allowing the remote computer to access the local 

18 computer network and to communicate on the local 

19 computer network; and 

20 using the access filter to prevent the remote 

21 computer from communicating with the predetermined 

22 resource on the local computer network. 

1 2. The method of claim 1 further comprising 

2 maintaining the database. 

1 3. The method of claim 1 further comprising 

2 coupling a communication device to the communication 

3 port for communicating with the remote computer. 

1 4 . The method of claim 3 wherein the communication 

2 port is a serial port. 
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1 5. The method of claim 4 wherein the communication 

2 device is a modem. 

1 6. A method for limiting access to a local 

2 computer network f comprising: 

3 providing a communication port to provide for 

4 communication with a remote computer; 

5 coupling a network port to a local computer network 

6 to provide for communication with the local computer 

7 network; 

8 receiving a user identification string from the 

9 communication port, the string having been entered by a 

10 remote user at a remote computer which is coupled to 

11 the communication port, the string identifying the 

12 remote user; 

13 using the user identification string to access a 

14 database and determine at least one access filter 

15 associated with the user identification string, the 

16 access filter for preventing the remote computer from 

17 communicating with at least one predetermined resource 

18 on a local computer network, the database including a 

19 user identification string for each remote user and at 

20 least one access filter for each user identification 

21 string; 

22 allowing the remote computer to access the local 

23 computer network and to communicate on the local 

24 computer network; and 

25 using the access filter to prevent the remote 

26 computer from communicating with the predetermined 

27 resource on the local computer network. 

1 7. The method of claim 6 further comprising 

2 coupling a plurality of communication ports such that a 
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3 plurality of remote computers are provided simultaneous 

4 limited access to the local computer network. 

1 8. The method of claim 6 further comprising 

2 maintaining the database. 

1 9. The method of claim 6 further comprising 

2 coupling a communication device to the communication 

3 port for communicating with the remote computer. 

1 10. The method of claim 9 wherein the 

2 communication port is a serial port. 

1 11. The method of claim 10 wherein the 

2 communication device is a modem. 

1 12. A server for limiting access to a local 

2 computer network, comprising: 

3 at least one communication port to provide for 

4 communication with a remote computer; 

5 at least one network port for coupling to a local 

6 computer network to provide for communication with the 

7 local computer network; and 

8 processing electronics for: 

9 controlling the communication port and the 

10 network port, 

11 receiving from the communication port a user 

12 identification string which was entered by a remote 

13 user at a remote computer and which identifies the 

14 remote user, 

15 using the user identification string to access 

16 a database and determine at least one access filter 

17 associated with the user identification string, the 

18 access filter for preventing the remote computer from 
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19 communicating with at least one predetermined resource 

20 on the local computer network, the database including a 

21 user identification string for each remote user and at 

22 least one access filter for each user identification 

23 string, 

24 allowing the remote computer to access the 

25 local computer network and to communicate on the local 

26 computer network, and 

27 using the access filter to prevent the remote 

28 computer from communicating with the predetermined 

29 resource on the local computer network. 

1 13. The server of claim 12 further comprising a 

2 plurality of communication ports such that a plurality 

3 of remote computers are provided simultaneous access to 

4 the local computer network through the server. 

1 14. The server of claim 12 wherein the processing 

2 electronics includes a microprocessor and memory. 

1 15. The server of claim 12 wherein the database is 

2 maintained internally by the server. 

1 16. The server of claim 12 wherein the database is 

2 maintained on the local computer network and -external 

3 from the server. 

1 17. The server of claim 12 further comprising a 

2 communication device coupled to the communication port 

3 for communicating with the remote computer. 

1 18* The server of claim 17 wherein the 

2 communication port is a serial port. 
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1 19. The server of claim 18 wherein the 

2 communication device is a modem. 
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